OpenShift & SELinux

Dan Walsh
Twitter: #rhatdan
Blog: danwalsh.livejournal.com
Email: dwalsh@redhat.com
SELinux is a LABELING System
●   Everything has a label
    –   Process, file, dir, chr_file, blk_file, port, node.
●   SELinux policy defines the access allowed between
    process labels and all other labels.
●   The kernel enforces that access.
Security Goals
[Slide image: the Maginot Line]
http://en.wikipedia.org/wiki/Maginot_line
SELinux is Type Enforcement
●   system_u:system_r:openshift_t:s0:c1,c2
●   SELinux is Type Enforcement
seinfo -t | grep openshift
openshift_mail_tmp_t, httpd_openshift_content_t, openshift_cgroup_read_tmp_t,
openshift_initrc_tmp_t, openshift_var_lib_t, openshift_var_run_t, openshift_app_t,
openshift_min_t, openshift_net_t, openshift_tmp_t, openshift_min_app_t,
openshift_net_app_t, openshift_cgroup_read_t, httpd_openshift_script_exec_t,
openshift_cron_tmp_t, openshift_initrc_t, httpd_openshift_script_t,
openshift_cron_exec_t, openshift_initrc_exec_t, openshift_rw_file_t,
openshift_log_t, openshift_cron_t, openshift_mail_t, openshift_port_t,
httpd_openshift_ra_content_t, httpd_openshift_rw_content_t,
httpd_openshift_htaccess_t, openshift_cgroup_read_exec_t, openshift_t,
openshift_tmpfs_t
SELinux is Type Enforcement
●   Process labels can be on files
●   File labels cannot be on processes
●   openshift_t -> Process
●   openshift_var_lib_t -> File
SELinux is MCS
●   system_u:system_r:openshift_t:s0:c1,c2
●   Multi Category System
●   MCS separation is for like types: same type, but totally separated from each other
●   openshift_t:s0:c1,c2 -> openshift_var_lib_t:s0:c1,c2
●   openshift_t:s0:c3,c4 -> openshift_var_lib_t:s0:c3,c4
Libvirt – Dynamic Labeling in action
[Diagram: two gears labeled openshift_t:MCS1 and openshift_t:MCS2 are kept apart by SELinux inside the kernel, which sits on the host hardware (memory, storage, etc.); the same openshift_t:MCS1 and openshift_t:MCS2 labels appear again below the stack.]
MCS Labeling based on UID
def gen_level(uid):
    # 1024 categories (c0..c1023) give 1023*1024/2 distinct unordered pairs
    SETSIZE = 1023
    TIER = SETSIZE
    ORD = uid
    # walk down tiers of shrinking size until the uid fits in the current tier
    while ORD > TIER:
        ORD = ORD - TIER
        TIER = TIER - 1
    # first category is the tier index, second is the offset within that tier
    TIER = SETSIZE - TIER
    ORD = ORD + TIER
    return "s0:c%d,c%d" % (TIER, ORD)
How do the labels get on gears?
●   Host receives a packet for a gear
    –   OpenShift server
        ●   launches the application with the correct SELinux label.
        ●   Sends the packet to the application
●   If the connection comes in via git or SSH
    –   SSH uses pam_openshift
        ●   Launch sh with the correct context
        ●   Launch git with the correct context
DEMO
Monitoring Logs
Problems with OpenShift Security
●   Gear Application == Administrator of Gear
    –   Same UID
    –   Same SELinux Label openshift_t
●   Solution:
    –   openshift_t
        ●   Administrator of gear
    –   openshift_app_t
        ●   Type of the application
    –   openshift_var_lib_t
        ●   openshift_t can read/write/execute
        ●   openshift_app_t can read/execute
    –   openshift_rw_file_t
        ●   openshift_t & openshift_app_t can read/write/execute
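The following is an added example, not code from the slides or from OpenShift itself. It reproduces the slide's gen_level() unchanged so it runs stand-alone, then adds what the slides only describe: a bounds check (uid 0 and any uid above the 523776 distinct pairs misbehave in the loop), a context parser, the type-enforcement matrix from the Solution slide above, and the MCS rule that separates gears of the same type. The MCS rule (subject categories must contain the object's) and the TE_ALLOW table are simplifications assumed here.

```python
"""Added example: uid -> MCS level from the slide, plus the two layers the
slides describe (type enforcement, then MCS category separation)."""

SETSIZE = 1023                            # categories c0..c1023 exist
MAX_UID = SETSIZE * (SETSIZE + 1) // 2    # 523776 distinct category pairs


def gen_level(uid):
    """Reproduced from the slide: walks down tiers of shrinking size so that
    each uid lands on a distinct pair (c<tier>, c<ordinal>) with tier < ordinal."""
    tier = SETSIZE
    ordinal = uid
    while ordinal > tier:
        ordinal -= tier
        tier -= 1
    tier = SETSIZE - tier
    ordinal += tier
    return "s0:c%d,c%d" % (tier, ordinal)


def uid_in_range(uid):
    """Assumption added here: uid 0 would yield the degenerate s0:c0,c0, and
    any uid above MAX_UID makes the slide's loop run forever."""
    return 1 <= uid <= MAX_UID


def safe_gen_level(uid):
    """Bounds-checked wrapper around the slide's function."""
    if not uid_in_range(uid):
        raise ValueError("uid %d outside 1..%d" % (uid, MAX_UID))
    return gen_level(uid)


def levels_unique(first_uid, last_uid):
    """True when every uid in the inclusive range maps to a different level."""
    levels = [gen_level(u) for u in range(first_uid, last_uid + 1)]
    return len(set(levels)) == len(levels)


def parse_categories(spec):
    """'c1,c3.c5' -> {1, 3, 4, 5}; '' -> empty set (a plain s0 object)."""
    cats = set()
    for part in filter(None, spec.split(",")):
        if "." in part:
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return cats


def parse_context(ctx):
    """Split user:role:type:sensitivity[:categories]. Single-level contexts
    only, as on the slides; an MLS range such as s0-s0:c0.c1023 is rejected."""
    fields = ctx.split(":")
    if len(fields) not in (4, 5) or "-" in fields[3]:
        raise ValueError("unsupported context: %r" % ctx)
    cats = parse_categories(fields[4]) if len(fields) == 5 else set()
    return {"user": fields[0], "role": fields[1], "type": fields[2],
            "sensitivity": fields[3], "categories": cats}


# Type-enforcement matrix transcribed from the Solution slide (assumed to be
# complete for this example): anything not listed is denied.
TE_ALLOW = {
    ("openshift_t", "openshift_var_lib_t"):     {"read", "write", "execute"},
    ("openshift_app_t", "openshift_var_lib_t"): {"read", "execute"},
    ("openshift_t", "openshift_rw_file_t"):     {"read", "write", "execute"},
    ("openshift_app_t", "openshift_rw_file_t"): {"read", "write", "execute"},
}


def mcs_dominates(subject_cats, object_cats):
    """Simplified MCS rule assumed here: the process's category set must
    contain every category on the object. A gear with c1,c2 therefore reaches
    its own c1,c2 files and any uncategorised (plain s0) file, but never
    another gear's c3,c4 files."""
    return subject_cats >= object_cats


def access_allowed(process_ctx, file_ctx, perm):
    """Type enforcement first, then MCS; both must allow the access.
    MCS never grants anything the type rules deny."""
    proc = parse_context(process_ctx)
    obj = parse_context(file_ctx)
    if perm not in TE_ALLOW.get((proc["type"], obj["type"]), set()):
        return False
    return mcs_dominates(proc["categories"], obj["categories"])


def gear_context(uid, process_type="openshift_t"):
    """Build the process label a gear with this uid would run under."""
    return "system_u:system_r:%s:%s" % (process_type, safe_gen_level(uid))


if __name__ == "__main__":
    gear = gear_context(1024)      # uid 1024 -> s0:c1,c2, the slide's first example
    own = "system_u:object_r:openshift_var_lib_t:s0:c1,c2"
    other = "system_u:object_r:openshift_var_lib_t:s0:c3,c4"
    print(gear, access_allowed(gear, own, "write"), access_allowed(gear, other, "read"))
```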
Problem with OpenShift Security
●   All gears run as openshift_t
    –   All have the same network access.
        ●   openshift_t/openshift_app_t
        ●   openshift_net_t/openshift_net_app_t
        ●   openshift_min_t/openshift_min_app_t
What about trust between nodes?
●   iptables is not enough
●   Node1:Gear1 cannot attack Node1:Gear2
●   Node1:Gear1 can attack Node2:Gear2
●   Labeled networking between nodes
    –   Based on MLS CIPSO labels
●   Labeled networking SELinux rules
    –   Node1:Gear1 can use Node2:Gear1
    –   Node1:Gear1 attacking Node2:Gear2 is blocked
●   Requires the UID to be the same between nodes.
Problems with SELinux Confinement
●   Node separation
    –   127.0.0.1 is blocked for all gears.
    –   We do not want multiple domains binding to
        127.0.0.1:8080
        ●   First one wins
●   Apps trying to do SELinux stuff
●   SELinux blocks access to other processes, but a gear
    can still see that they are there.
Secure Linux Containers
Containers != Security
●   Running root in a container, machine pwned
●   Local Privilege Escalation, machine pwned
●   Much of the system is not containerized.
    –   Audit
    –   /sys
        ●   selinuxfs, cgroupfs, sysfs
    –   Need to block mount
    –   Need to block mknod
Linux Namespaces
●   Mount: mounting/unmounting filesystems
    –   Currently used by OpenShift for /tmp, /var/tmp and /dev/shm
●   UTS: hostname, domainname
●   IPC: SysV message queues, semaphores, shared memory segments
●   Network: IPv4/IPv6 stacks, routing, firewall, /proc/net and
    /sys/class/net directory trees, sockets
    –   Critical to fix the localhost problem
●   PID: private /proc, multiple pid 1's
●   UID: just showing up in the kernel now...
Libvirt-lxc
●   Boot “init” binary
●   SELinux Types + MCS
●   Firewall ebtables/ip[6]tables
●   Host FS passthrough bind mounts
●   CGroups resource control
●   Available in RHEL 6.4
    –   But you're on your own...
virt-sandbox
●   Package to help managing Linux Containers
DEMO

 
OpenShift PaaS Anywhere (Infrastructure.Next Ghent 2014-02-24) Diane Mueller
OpenShift PaaS Anywhere (Infrastructure.Next Ghent 2014-02-24) Diane Mueller OpenShift PaaS Anywhere (Infrastructure.Next Ghent 2014-02-24) Diane Mueller
OpenShift PaaS Anywhere (Infrastructure.Next Ghent 2014-02-24) Diane Mueller
 
Deploying & Scaling OpenShift on OpenStack using Heat - OpenStack Seattle Mee...
Deploying & Scaling OpenShift on OpenStack using Heat - OpenStack Seattle Mee...Deploying & Scaling OpenShift on OpenStack using Heat - OpenStack Seattle Mee...
Deploying & Scaling OpenShift on OpenStack using Heat - OpenStack Seattle Mee...
 
Human Face of Cloud Computing Cyber Summit 2013 Diane Mueller Red Hat OpenShi...
Human Face of Cloud Computing Cyber Summit 2013 Diane Mueller Red Hat OpenShi...Human Face of Cloud Computing Cyber Summit 2013 Diane Mueller Red Hat OpenShi...
Human Face of Cloud Computing Cyber Summit 2013 Diane Mueller Red Hat OpenShi...
 
LatinoWare 2013 An OpenSource Blueprint for Cloud presented by Diane Mueller,...
LatinoWare 2013 An OpenSource Blueprint for Cloud presented by Diane Mueller,...LatinoWare 2013 An OpenSource Blueprint for Cloud presented by Diane Mueller,...
LatinoWare 2013 An OpenSource Blueprint for Cloud presented by Diane Mueller,...
 
OpenShift PaaS Overviewi by Marek Jelen 03-2013 CodeMotion Roma
OpenShift PaaS Overviewi by Marek Jelen 03-2013 CodeMotion RomaOpenShift PaaS Overviewi by Marek Jelen 03-2013 CodeMotion Roma
OpenShift PaaS Overviewi by Marek Jelen 03-2013 CodeMotion Roma
 
OpenShift Overview Presentation by Marek Jelen for Zurich Geeks Event
OpenShift Overview Presentation by Marek Jelen for Zurich Geeks EventOpenShift Overview Presentation by Marek Jelen for Zurich Geeks Event
OpenShift Overview Presentation by Marek Jelen for Zurich Geeks Event
 
Bringing Some Spatial Love to your Application with OpenShift - Mongo Berlin ...
Bringing Some Spatial Love to your Application with OpenShift - Mongo Berlin ...Bringing Some Spatial Love to your Application with OpenShift - Mongo Berlin ...
Bringing Some Spatial Love to your Application with OpenShift - Mongo Berlin ...
 
LinuxCon 2013 Steven Dake on Using Heat for autoscaling OpenShift on Openstack
LinuxCon 2013 Steven Dake on Using Heat for autoscaling OpenShift on OpenstackLinuxCon 2013 Steven Dake on Using Heat for autoscaling OpenShift on Openstack
LinuxCon 2013 Steven Dake on Using Heat for autoscaling OpenShift on Openstack
 
Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare P...
 Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare P... Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare P...
Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare P...
 
Build Your Own PaaS, Just like Red Hat's OpenShift from LinuxCon 2013 New Orl...
Build Your Own PaaS, Just like Red Hat's OpenShift from LinuxCon 2013 New Orl...Build Your Own PaaS, Just like Red Hat's OpenShift from LinuxCon 2013 New Orl...
Build Your Own PaaS, Just like Red Hat's OpenShift from LinuxCon 2013 New Orl...
 
OpenShift Origin Community Day (Boston) Extending OpenShift Origin: Build You...
OpenShift Origin Community Day (Boston) Extending OpenShift Origin: Build You...OpenShift Origin Community Day (Boston) Extending OpenShift Origin: Build You...
OpenShift Origin Community Day (Boston) Extending OpenShift Origin: Build You...
 
Putting Private Clouds to Work with PaaS Interop 2013 Vegas Diane Mueller
Putting Private Clouds to Work with PaaS Interop 2013 Vegas Diane MuellerPutting Private Clouds to Work with PaaS Interop 2013 Vegas Diane Mueller
Putting Private Clouds to Work with PaaS Interop 2013 Vegas Diane Mueller
 
Putting The PaaS in OpenStack with Diane Mueller @RedHat
Putting The PaaS in OpenStack with Diane Mueller @RedHat Putting The PaaS in OpenStack with Diane Mueller @RedHat
Putting The PaaS in OpenStack with Diane Mueller @RedHat
 
Welcome to the @OpenShift Origin Community by Diane Mueller @pythondj @redhat
Welcome to the @OpenShift Origin Community by Diane Mueller @pythondj @redhatWelcome to the @OpenShift Origin Community by Diane Mueller @pythondj @redhat
Welcome to the @OpenShift Origin Community by Diane Mueller @pythondj @redhat
 
Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...
Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...
Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...
 
Introduction to OpenShift Origin- Private, Public and Community
Introduction to OpenShift Origin- Private, Public and CommunityIntroduction to OpenShift Origin- Private, Public and Community
Introduction to OpenShift Origin- Private, Public and Community
 

Recently uploaded

Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 

Recently uploaded (20)

Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 

OpenShift & SELinux with Dan Walsh @rhatdan

  • 1. OpenShift & SELinux
     Dan Walsh
     Twitter: #rhatdan
     Blog: danwalsh.livejournal.com
     Email: dwalsh@redhat.com
  • 2. SELinux is a LABELING System
     ● Everything has a label
       – Process, file, dir, chr_file, blk_file, port, node.
     ● SELinux Policy defines the access between process labels and all other labels.
     ● The Kernel controls the access.
  • 3. Security Goals
     http://en.wikipedia.org/wiki/Maginot_line
  • 4. SELinux is Type Enforcement
     ● system_u:system_r:openshift_t:s0:c1,c2
     ● seinfo -t | grep openshift
       openshift_mail_tmp_t, httpd_openshift_content_t, openshift_cgroup_read_tmp_t,
       openshift_initrc_tmp_t, openshift_var_lib_t, openshift_var_run_t, openshift_app_t,
       openshift_min_t, openshift_net_t, openshift_tmp_t, openshift_min_app_t,
       openshift_net_app_t, openshift_cgroup_read_t, httpd_openshift_script_exec_t,
       openshift_cron_tmp_t, openshift_initrc_t, httpd_openshift_script_t,
       openshift_cron_exec_t, openshift_initrc_exec_t, openshift_rw_file_t,
       openshift_log_t, openshift_cron_t, openshift_mail_t, openshift_port_t,
       httpd_openshift_ra_content_t, httpd_openshift_rw_content_t,
       httpd_openshift_htaccess_t, openshift_cgroup_read_exec_t, openshift_t,
       openshift_tmpfs_t
  • 5. SELinux is Type Enforcement
     ● Process labels can be on files
     ● File labels can not be on processes
     ● openshift_t -> Process
     ● openshift_var_lib_t -> File
  • 6. SELinux is MCS
     ● system_u:system_r:openshift_t:s0:c1,c2
     ● Multi Category System
     ● MCS separation is for like types, but totally separated
     ● openshift_t:s0:c1,c2 -> openshift_var_lib_t:s0:c1,c2
     ● openshift_t:s0:c3,c4 -> openshift_var_lib_t:s0:c3,c4
  • 7. Libvirt – Dynamic Labeling in action
     (diagram: two gears, openshift_t:MCS1 and openshift_t:MCS2, each separated by
     SELinux in the kernel on shared host hardware: memory, storage, etc.)
  • 8. MCS Labeling based on UID
     def gen_level(uid):
         # Map a UID to a unique pair of MCS categories, c<TIER>,c<ORD>
         SETSIZE = 1023
         TIER = SETSIZE
         ORD = uid
         while ORD > TIER:
             ORD = ORD - TIER
             TIER = TIER - 1
         TIER = SETSIZE - TIER
         ORD = ORD + TIER
         return "s0:c%d,c%d" % (TIER, ORD)
  • 9. How do the labels get on gears?
     ● Host receives packet for a gear
       – OpenShift server launches the application with the correct SELinux label.
       – Sends packet to application
     ● If connection comes in via git or ssh
       – ssh uses pam_openshift
       – Launch sh with correct context
       – Launch git with correct context
  • 10. DEMO
  • 12. Problems with OpenShift Security
     ● Gear Application == Administrator of Gear
       – Same UID
       – Same SELinux label openshift_t
     ● Solution:
       – openshift_t
         ● Administrator of gear
       – openshift_app_t
         ● Type of the application
       – openshift_var_lib_t
         ● openshift_t can read/write/execute
         ● openshift_app_t can read/execute
       – openshift_rw_file_t
         ● openshift_t & openshift_app_t can read/write/execute
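The following is an added example, not code from the slides or from OpenShift itself. It models the two checks the deck describes for gears: the slide 8 UID-to-MCS mapping, the MCS category dominance of slide 6, and the type enforcement rules of slide 12 (administrator type openshift_t versus application type openshift_app_t over openshift_var_lib_t and openshift_rw_file_t). The access matrix is exactly the one slide 12 states and nothing else is assumed about the real policy; the helper names (parse_context, te_allows, mcs_dominates, access_allowed, gear_contexts, levels_unique) are mine, and the parser assumes category lists in the c1,c2 form rather than the c0.c1023 range notation.

```python
# Added example: a small model of SELinux type enforcement plus MCS for
# OpenShift gears, built only from what slides 6, 8 and 12 state.

SETSIZE = 1023  # highest category number the slide 8 scheme hands out


def gen_level(uid):
    """Slide 8: derive a unique two-category MCS level from a gear's UID."""
    tier = SETSIZE
    ord_ = uid
    while ord_ > tier:
        ord_ -= tier
        tier -= 1
    tier = SETSIZE - tier
    ord_ += tier
    return "s0:c%d,c%d" % (tier, ord_)


def parse_context(ctx):
    """Split 'user:role:type:sens:cats' into (type, set of category numbers).

    Assumption: categories are written as a comma list (c1,c2); the
    range form (c0.c1023) is not handled here.
    """
    _user, _role, stype, level = ctx.split(":", 3)
    _sens, _sep, cats = level.partition(":")
    categories = set()
    if cats:
        for c in cats.split(","):
            categories.add(int(c.lstrip("c")))
    return stype, categories


# Slide 12's access matrix: process type -> file type -> permitted operations.
TE_RULES = {
    "openshift_t": {
        "openshift_var_lib_t": {"read", "write", "execute"},
        "openshift_rw_file_t": {"read", "write", "execute"},
    },
    "openshift_app_t": {
        "openshift_var_lib_t": {"read", "execute"},
        "openshift_rw_file_t": {"read", "write", "execute"},
    },
}


def te_allows(proc_type, file_type, perm):
    """Type enforcement: is this operation in the matrix for the pair?"""
    return perm in TE_RULES.get(proc_type, {}).get(file_type, set())


def mcs_dominates(proc_cats, file_cats):
    """MCS: the process's category set must contain every file category."""
    return file_cats <= proc_cats


def access_allowed(proc_ctx, file_ctx, perm):
    """Both checks must pass; a denial from either one is a denial overall."""
    proc_type, proc_cats = parse_context(proc_ctx)
    file_type, file_cats = parse_context(file_ctx)
    return te_allows(proc_type, file_type, perm) and mcs_dominates(proc_cats, file_cats)


def gear_contexts(uid):
    """Contexts for one gear: admin and app processes, and its two file types.

    system_u/system_r/object_r are the standard SELinux identity and roles;
    the gear-specific part is the level derived from the UID.
    """
    level = gen_level(uid)
    return {
        "admin": "system_u:system_r:openshift_t:%s" % level,
        "app": "system_u:system_r:openshift_app_t:%s" % level,
        "var_lib": "system_u:object_r:openshift_var_lib_t:%s" % level,
        "rw_file": "system_u:object_r:openshift_rw_file_t:%s" % level,
    }


def levels_unique(first_uid, last_uid):
    """Sanity check on slide 8's scheme: no two UIDs in the range share a level."""
    seen = set()
    for uid in range(first_uid, last_uid + 1):
        lvl = gen_level(uid)
        if lvl in seen:
            return False
        seen.add(lvl)
    return True


if __name__ == "__main__":
    g1 = gear_contexts(1001)   # constructed sample UIDs
    g2 = gear_contexts(1002)
    print(g1["admin"])
    print(access_allowed(g1["admin"], g1["var_lib"], "write"))   # admin may write its own var_lib
    print(access_allowed(g1["app"], g1["var_lib"], "write"))     # app is denied by type enforcement
    print(access_allowed(g1["app"], g1["rw_file"], "write"))     # app may write rw_file
    print(access_allowed(g1["admin"], g2["var_lib"], "read"))    # other gear's files: denied by MCS
```

The last call is the point of slide 6: both processes carry openshift_t, so type enforcement alone would allow the read, and only the mismatched categories block it. The second call shows the converse, where the categories match but the openshift_app_t type lacks write on openshift_var_lib_t.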
  • 13. Problem with OpenShift Security
     ● All gears run as openshift_t
       – All have same network access.
     ● openshift_t/openshift_app_t
     ● openshift_net_t/openshift_net_app_t
     ● openshift_min_t/openshift_min_app_t
  • 14. What about trust between nodes?
     ● IPTables not enough
     ● Node1:Gear1 can not attack Node1:Gear2
     ● Node1:Gear1 can attack Node2:Gear2
     ● Labeled Networking between Nodes
       – Based on MLS CIPSO labels
     ● Labeled Networking SELinux rules
       – Node1:Gear1 can use Node2:Gear1
       – Node1:Gear1 attacking Node2:Gear2 blocked
     ● Requires the UID to be the same between nodes.
  • 15. Problems with SELinux Confinement
     ● Node Separation
       – 127.0.0.1 blocked to all.
       – We do not want multiple domains binding to 127.0.0.1:8080
         ● First one wins
     ● Apps trying to do SELinux stuff
     ● SELinux blocks access to processes but it knows they are there.
  • 17. Containers != Security
     ● Running root in a container, machine pwned
     ● Local privilege escalation, machine pwned
     ● Much of the system is not containerized.
       – Audit
       – /sys
         ● selinuxfs, cgroupfs, sysfs
       – Need to block mount
       – Need to block mknod
  • 18. Linux Namespaces
     ● Mount: mounting/unmounting filesystems
       – Currently used by OpenShift for /tmp, /var/tmp and /dev/shm
     ● UTS: hostname, domainname
     ● IPC: SysV message queues, semaphore/shared memory segments
     ● Network: IPv4/IPv6 stacks, routing, firewall, proc/net /sys/class/net directory trees, sock
       – Critical to fix localhost problem
     ● Pid: Private /proc, multiple pid 1's
     ● UID: Just showing up in the Kernel now..
  • 19. Libvirt-lxc
     ● Boot “init” binary
     ● SELinux Types + MCS
     ● Firewall ebtables/ip[6]tables
     ● Host FS passthrough bind mounts
     ● CGroups resource control
     ● Available in RHEL6.4
       – But you're on your own...
  • 20. virt-sandbox ● Package to help managing Linux Containers
  • 21. DEMO

Editor's Notes

  1. When writing SELinux policy, the first thing to understand is your security goal. For most people the security goal is to get as close as possible to the minimal access that lets the confined application do its job, while preventing it from affecting other applications. Many applications can be configured to run in different ways. FTP, for example, can be configured to allow anonymous access to files, access to users' home directories, or access to the entire system. When you have an application like this, you can use booleans to let administrators reconfigure the policy for their environment. When you are writing policy it is always good to ask experts to look at the policy you have written, to see whether you are allowing more access than necessary or whether they know a better way to write it.
  2. This slide shows one virtual machine running as svirt_t:MCS1 and the other virtual machine running as svirt_t:MCS2, with their image files labeled svirt_image_t:MCS1 and svirt_image_t:MCS2. The same attack we saw before is blocked by SELinux in the host kernel, and this protects the host as well as preventing the virtual machines from attacking each other.